Pre-launch policy baseline · 11 Jul 2026
Clear boundaries before data, disclosure, or testing.
This page explains how the current site behaves and the minimum boundaries for enquiries and authorized assessment work. It is not a substitute for a signed service agreement, privacy review, or Rules of Engagement.
Nothing on cyberkareem.com, including security.txt, authorizes testing of this site, a named organization, or any third party.
Current site behavior
Privacy and external channels
The current application code does not operate a first-party form, user account, newsletter, payment flow, or analytics-cookie system. Hosting infrastructure may process ordinary request logs for site delivery, abuse prevention, and security.
LinkedIn, GitHub, X, credential providers, and lab platforms are external services with their own privacy terms. Information sent through those services is processed by those providers. Send only the minimum introductory context needed to request a private channel.
Commercial enquiries
An enquiry is not an engagement.
An initial assessment enquiry may identify the organization, requester role, service category, high-level asset type, desired outcome, timing, and authorization owner. Do not include target URLs, IP addresses, credentials, source code, vulnerability evidence, personal data, or confidential architecture.
No assessment starts until fit, professional obligations, contracting authority, written authorization, scope, and Rules of Engagement are confirmed. A separate signed agreement controls the actual engagement.
Responsible disclosure
Coordinate before sharing sensitive evidence.
The public contact path currently supports identity establishment and a request for a private channel. It is not an encrypted intake channel. Sensitive vulnerability reports cannot be accepted safely until a suitable private channel is confirmed.
The disclosure guidance supports coordination concerning published CyberKareem research and legitimate inbound vulnerability contact; it does not create a bug-bounty program or authorize testing.
Authorized assessment baseline
Rules are part of the work.
- The legal owner and authorized client representative must be identified.
- Assets, environments, accounts, dates, third parties, and permitted techniques must be written into scope.
- Emergency contacts, stop conditions, evidence handling, and reporting recipients must be agreed.
- Social engineering, denial of service, persistence, destructive testing, and real-user-data access remain excluded unless explicitly and safely authorized.
- Cloud, hosting, wireless, and other third-party provider requirements remain the client’s responsibility to confirm.
Independent engagements are accepted only where professional obligations, conflicts, legal contracting requirements, and any required third-party approvals permit. No current or former employer is represented as endorsing this independent site.
Minimum detail first
Choose the appropriate contact path.
Use the contact page to start an assessment enquiry or request a private disclosure channel without sending sensitive material.
Open contact paths